systemd System and Service Manager
-CHANGES WITH 241 in spe:
+CHANGES WITH 243 in spe:
+
+ * This release enables unprivileged programs (i.e. requiring neither
+ setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests
+ by turning on the "net.ipv4.ping_group_range" sysctl of the Linux
+ kernel for the whole UNIX group range, i.e. all processes. This
+ change should be reasonably safe, as the kernel support for it was
+ specifically implemented to allow safe access to ICMP Echo for
+ processes lacking any privileges. If this is not desirable, it can be
+ disabled again by setting the parameter to "1 0".
+
+ * Previously, filters defined with SystemCallFilter= would have the
+ effect that any calling of an offending system call would terminate
+ the calling thread. This behaviour never made much sense, since
+ killing individual threads of unsuspecting processes is likely to
+ create more problems than it solves. With this release the default
+ action changed from killing the thread to killing the whole
+ process. For this to work correctly both a kernel version (>= 4.14)
+ and a libseccomp version (>= 2.4.0) supporting this new seccomp
+ action is required. If an older kernel or libseccomp is used the old
+ behaviour continues to be used. This change does not affect any
+ services that have no system call filters defined, or that use
+ SystemCallErrorNumber= (and thus see EPERM or another error instead
+ of being killed when calling an offending system call). Note that
+ systemd documentation always claimed that the whole process is
+ killed. With this change behaviour is thus adjusted to match the
+ documentation.
+
+ * On 64 bit systems, the "kernel.pid_max" sysctl is now bumped to
+ 4194304 by default, i.e. the full 22bit range the kernel allows, up
+ from the old 16bit range. This should improve security and
+ robustness, as PID collisions are made less likely (though certainly
+ still possible). There are rumours this might create compatibility
+ problems, though at this moment no practical ones are known to
+ us. Downstream distributions are hence advised to undo this change in
+ their builds if they are concerned about maximum compatibility, but
+ for everybody else we recommend leaving the value bumped. Besides
+ improving security and robustness this should also simplify things as
+ the maximum number of allowed concurrent tasks was previously bounded
+ by both "kernel.pid_max" and "kernel.threads-max" and now effectively
+ only a single knob is left ("kernel.threads-max"). There have been
+ concerns that usability is affected by this change because larger PID
+ numbers are harder to type, but we believe the change from 5 digits
+ to 7 digits doesn't hamper usability.
+
+ * MemoryLow= and MemoryMin= gained hierarchy-aware counterparts,
+ DefaultMemoryLow= and DefaultMemoryMin=, which can be used to
+ hierarchically set default memory protection values for a particular
+ subtree of the unit hierarchy.
+
+ * Memory protection directives can now take a value of zero, allowing
+ explicit opting out of a default value propagated by an ancestor.
+
+ * systemd now defaults to the "unified" cgroup hierarchy setup during
+ build-time, i.e. -Ddefault-hierarchy=unified is now the build-time
+ default. Previously, -Ddefault-hierarchy=hybrid was the default. This
+ change reflects the fact that cgroupsv2 support has matured
+ substantially in both systemd and in the kernel, and is clearly the
+ way forward. Downstream production distributions might want to
+ continue to use -Ddefault-hierarchy=hybrid (or even =legacy) for
+ their builds as unfortunately the popular container managers have not
+ caught up with the kernel API changes.
+
+ * Man pages are not built by default anymore (html pages were already
+ disabled by default), to make development builds quicker. When
+ building systemd for a full installation with documentation, meson
+ should be called with -Dman=true and/or -Dhtml=true as appropriate.
+ The default was changed based on the assumption that quick one-off or
+ repeated development builds are much more common than full optimized
+ builds for installation, and people need to pass various other
+ options to when doing "proper" builds anyway, so the gain from making
+ development builds quicker is bigger than the one time disruption for
+ packagers.
+
+ Two scripts are created in the *build* directory to generate and
+ preview man and html pages on demand, e.g.:
+
+ build/man/man systemctl
+ build/man/html systemd.index
+
+ * libidn2 is used by default if both libidn2 and libidn are installed.
+ Please use -Dlibidn=true if libidn is preferred.
+
+ * The D-Bus "wire format" of the CPUAffinity= attribute is changed on
+ big-endian machines. Before, bytes were written and read in native
+ machine order as exposed by the native libc __cpu_mask interface.
+ Now, little-endian order is always used (CPUs 0–7 are described by
+ bits 0–7 in byte 0, CPUs 8–15 are described by byte 1, and so on).
+ This change fixes D-Bus calls that cross endianness boundary.
+
+ The presentation format used for CPUAffinity= by "systemctl show" and
+ "systemd-analyze dump" is changed to present CPU indices instead of
+ the raw __cpu_mask bitmask. For example, CPUAffinity=0-1 would be
+ shown as CPUAffinity=03000000000000000000000000000… (on
+ little-endian) or CPUAffinity=00000000000000300000000000000… (on
+ 64-bit big-endian), and is now shown as CPUAffinity=0-1, matching the
+ input format. The maximum integer that will be printed in the new
+ format is 8191 (four digits), while the old format always used a very
+ long number (with the length varying by architecture), so they can be
+ unambiguously distinguished.
+
+ * /usr/sbin/halt.local is no longer supported. Implementation in
+ distributions was inconsistent and it seems this functionality was
+ very rarely used.
+
+ To replace this functionality, users should:
+ - either define a new unit and make it a dependency of final.target
+ (systemctl add-wants final.target my-halt-local.service)
+ - or move the shutdown script to /usr/lib/systemd/system-shutdown/
+ and ensure that it accepts "halt", "poweroff", "reboot", and
+ "kexec" as an argument, see the description in systemd-shutdown(8).
+
+ * When a [Match] section in .link or .network file is empty (contains
+ no match patterns), a warning will be emitted. Please add any "match
+ all" pattern instead, e.g. OriginalName=* or Name=* in case all
+ interfaces should really be matched.
+
+ * A new setting NUMAPolicy= may be used to set process memory
+ allocation policy. This setting can be specified in
+ /etc/systemd/system.conf and hence will set the default policy for
+ PID1. The default policy can be overridden on a per-service
+ basis. The related setting NUMAMask= is used to specify NUMA node
+ mask that should be associated with the selected policy.
+
+ * PID 1 will now listen to Out-Of-Memory (OOM) events the kernel
+ generates when processes it manages are reaching their memory limits,
+ and will place their units in a special state, and optionally kill or
+ stop the whole unit.
+
+ * The service manager will now expose bus properties for the IO
+ resources used by units. This information is also shown in "systemctl
+ status" now (for services that have IOAccounting=yes set). Moreover,
+ the IO accounting data is included in the resource log message
+ generated whenever a unit stops.
+
+ * Units may now configure an explicit time-out to wait for when killed
+ with SIGABRT, for example when a service watchdog is hit. Previously,
+ the regular TimeoutStopSec= time-out was applied in this case too —
+ now a separate time-out may be set using TimeoutAbortSec=.
+
+ * Services may now send a special WATCHDOG=trigger message with
+ sd_notify() to trigger an immediate "watchdog missed" event, and thus
+ trigger service termination. This is useful both for testing watchdog
+ handling, but also for defining error paths in services, that shall
+ be handled the same way as watchdog events.
+
+ * There are two new per-unit settings IPIngressFilterPath= and
+ IPEgressFilterPath= which allow configuration of a BPF program
+ (usually by specifying a path to a program uploaded to /sys/fs/bpf/)
+ to apply to the IP packet ingress/egress path of all processes of a
+ unit. This is useful to allow running systemd services with BPF
+ programs set up externally.
+
+ * systemctl gained a new "clean" verb for removing the state, cache,
+ runtime or logs directories of a service while it is terminated. The
+ new verb may also be used to remove the state maintained on disk for
+ timer units that have Persistent= configured.
+
+ * During the last phase of shutdown systemd will now automatically
+ increase the log level configured in the "kernel.printk" sysctl so
+ that any relevant loggable events happening during late shutdown are
+ made visible. Previously, loggable events happening so late during
+ shutdown were generally lost if the "kernel.printk" sysctl was set to
+ high thresholds, as regular logging daemons are terminated at that
+ time and thus nothing is written to disk.
+
+ * If processes terminated during the last phase of shutdown do not exit
+ quickly systemd will now show their names after a short time, to make
+ debugging easier. After a longer time-out they are forcibly killed,
+ as before.
+
+ * journalctl (and the other tools that display logs) will now highlight
+ warnings in yellow (previously, both LOG_NOTICE and LOG_WARNING where
+ shown in bright bold, now only LOG_NOTICE is). Moreover, audit logs
+ are now shown in blue color, to separate them visually from regular
+ logs. References to configuration files are now turned into clickable
+ links on terminals that support that.
+
+ * systemd-journald will now stop logging to /var/log/journal during
+ shutdown when /var/ is on a separate mount, so that it can be
+ unmounted safely during shutdown.
+
+ * systemd-resolved gained support for a new 'strict' DNS-over-TLS mode.
+
+ * systemd-resolved "Cache=" configuration option in resolved.conf has
+ been extended to also accept the 'no-negative' value. Previously,
+ only a boolean option was allowed (yes/no), having yes as the
+ default. If this option is set to 'no-negative', negative answers are
+ not cached while the old cache heuristics are used positive answers.
+ The default remains unchanged.
+
+ * The predictable naming scheme for network devices now supports
+ generating predictable names for "netdevsim" devices.
+
+ Moreover, the "en" prefix was dropped from the ID_NET_NAME_ONBOARD
+ udev property.
+
+ Those two changes form a new net.naming-policy-scheme= entry.
+ Distributions which want to preserve naming stability may want to set
+ the -Ddefault-net-naming-scheme= configuration option.
+
+ * systemd-networkd now supports MACsec, nlmon, IPVTAP and Xfrm
+ interfaces natively.
+
+ * systemd-networkd's bridge FDB support now allows configuration of a
+ destination address for each entry (Destination=), as well as the
+ VXLAN VNI (VNI=), as well as an option to declare what an entry is
+ associated with (AssociatedWith=).
+
+ * systemd-networkd's DHCPv4 support now understands a new MaxAttempts=
+ option for configuring the maximum number of DHCP lease requests. It
+ also learnt a new BlackList= option for blacklisting DHCP servers (a
+ similar setting has also been added to the IPv6 RA client), as well
+ as a SendRelease= option for configuring whether to send a DHCP
+ RELEASE message when terminating.
+
+ * systemd-networkd's DHCPv4 and DHCPv6 stacks can now be configured
+ separately in the [DHCPv4] and [DHCPv6] sections.
+
+ * systemd-networkd's DHCP support will now optionally create an
+ implicit host route to the DNS server specified in the DHCP lease, in
+ addition to the routes listed explicitly in the lease. This should
+ ensure that in multi-homed systems DNS traffic leaves the systems on
+ the interface that acquired the DNS server information even if other
+ routes such as default routes exist. This behaviour may be turned on
+ with the new RoutesToDNS= option.
+
+ * systemd-networkd's VXLAN support gained a new option
+ GenericProtocolExtension= for enabling VXLAN Generic Protocol
+ Extension support, as well as IPDoNotFragment= for setting the IP
+ "Don't fragment" bit on outgoing packets. A similar option has been
+ added to the GENEVE support.
+
+ * In systemd-networkd's [Route] section you may now configure
+ FastOpenNoCookie= for configuring per-route TCP fast-open support, as
+ well as TTLPropagate= for configuring Label Switched Path (LSP) TTL
+ propagation. The Type= setting now supports local, broadcast,
+ anycast, multicast, any, xresolve routes, too.
+
+ * systemd-networkd's [Network] section learnt a new option
+ DefaultRouteOnDevice= for automatically configuring a default route
+ onto the network device.
+
+ * systemd-networkd's bridging support gained two new options ProxyARP=
+ and ProxyARPWifi= for configuring proxy ARP behaviour as well as
+ MulticastRouter= for configuring multicast routing behaviour. A new
+ option MulticastIGMPVersion= may be used to change bridge's multicast
+ Internet Group Management Protocol (IGMP) version.
+
+ * systemd-networkd's FooOverUDP support gained the ability to configure
+ local and peer IP addresses via Local= and Peer=. A new option
+ PeerPort= may be used to configure the peer's IP port.
+
+ * systemd-networkd's TUN support gained a new setting VnetHeader= for
+ tweaking Generic Segment Offload support.
+
+ * networkctl gained a new "delete" command for removing virtual network
+ devices, as well as a new "--stats" switch for showing device
+ statistics.
+
+ * networkd.conf gained a new setting SpeedMeter= and
+ SpeedMeterIntervalSec=, to measure bitrate of network interfaces. The
+ measured speed may be shown by 'networkctl status'.
+
+ * "networkctl status" now displays MTU and queue lengths, and more
+ detailed information about VXLAN and bridge devices.
+
+ * systemd-networkd's .network and .link files gained a new Property=
+ setting in the [Match] section, to match against devices with
+ specific udev properties.
+
+ * systemd-networkd's tunnel support gained a new option
+ AssignToLoopback= for selecting whether to use the loopback device
+ "lo" as underlying device.
+
+ * systemd-networkd's MACAddress= setting in the [Neighbor] section has
+ been renamed to LinkLayerAddress=, and it now allows configuration of
+ IP addresses, too.
+
+ * A new tool systemd-network-generator has been added that may generate
+ .network, .netdev and .link files from IP configuration specified on
+ the kernel command line in the format used by Dracut.
+
+ * The CriticalConnection= setting in .network files is now deprecated,
+ and replaced by a new KeepConfiguration= setting which allows more
+ detailed configuration of the IP configuration to keep in place.
+
+ * systemd-analyze gained a few new verbs:
+
+ - "systemd-analyze timestamp" parses and converts timestamps. This is
+ similar to the existing "systemd-analyze calendar" command which
+ does the same for recurring calendar events.
+
+ - "systemd-analyze timespan" parses and converts timespans (i.e.
+ durations as opposed to points in time).
+
+ - "systemd-analyze condition" will parse and test ConditionXYZ=
+ expressions.
+
+ - "systemd-analyze exit-status" will parse and convert exit status
+ codes to their names and back.
+
+ - "systemd-analyze unit-files" will print a list of all unit
+ file paths and unit aliases.
+
+ * SuccessExitStatus=, RestartPreventExitStatus=, and
+ RestartForceExitStatus= now accept exit status names (e.g. "DATAERR"
+ is equivalent to "65"). Those exit status name mappings may be
+ displayed with the sytemd-analyze exit-status verb describe above.
+
+ * systemd-logind now exposes a per-session SetBrightness() bus call,
+ which may be used to securely change the brightness of a kernel
+ brightness device, if it belongs to the session's seat. By using this
+ call unprivileged clients can make changes to "backlight" and "leds"
+ devices securely with strict requirements on session membership.
+ Desktop environments may use this to generically make brightness
+ changes to such devices without shipping private SUID binaries or
+ udev rules for that purpose.
+
+ * "udevadm info" gained a --wait-for-initialization switch to wait for
+ a device to be initialized.
+
+ * systemd-hibernate-resume-generator will now look for resumeflags= on
+ the kernel command line, which is similar to rootflags= and may be
+ used to configure device timeout for the hibernation device.
+
+ * sd-event learnt a new API call sd_event_source_disable_unref() for
+ disabling and unref'ing an event source in a single function. A
+ related call sd_event_source_disable_unrefp() has been added for use
+ with gcc's cleanup extension.
+
+ * The sd-id128.h public API gained a new definition
+ SD_ID128_UUID_FORMAT_STR for formatting a 128bit ID in UUID format
+ with printf().
+
+ * "busctl introspect" gained a new switch --xml-interface for dumping
+ XML introspection data unmodified.
+
+ * PID 1 may now show the unit name instead of the unit description
+ string in its status output during boot. This may be configured in
+ the StatusUnitFormat= setting in /etc/systemd/system.conf or the
+ kernel command line option systemd.status_unit_format=.
+
+ * PID 1 now understands a new option KExecWatchdogSec= in
+ /etc/systemd/system.conf to set a watchdog timeout for kexec reboots.
+ Previously watchdog functionality was only available for regular
+ reboots. The new setting defaults to off, because we don't know in
+ the general case if the watchdog will be reset after kexec (some
+ drivers do reset it, but not all), and the new userspace might not be
+ configured to handle the watchdog.
+
+ Moreover, the old ShutdownWatchdogSec= setting has been renamed to
+ RebootWatchdogSec= to more clearly communicate what it is about. The
+ old name is still accepted for compatibility.
+
+ * The systemd.debug_shell kernel command line option now optionally
+ takes a tty name to spawn the debug shell on, which allows a
+ different tty to be selected than the built-in default.
+
+ * Service units gained a new ExecCondition= setting which will run
+ before ExecStartPre= and either continue execution of the unit (for
+ clean exit codes), stop execution without marking the unit failed
+ (for exit codes 1 through 254), or stop execution and fail the unit
+ (for exit code 255 or abnormal termination).
+
+ * A new service systemd-pstore.service has been added that pulls data
+ from /sys/fs/pstore/ and saves it to /var/lib/pstore for later
+ review.
+
+ * timedatectl gained new verbs for configuring per-interface NTP
+ service configuration for systemd-timesyncd.
+
+ * "localectl list-locales" won't list non-UTF-8 locales anymore. It's
+ 2019. (You can set non-UTF-8 locales though, if you know their name.)
+
+ * If variable assignments in sysctl.d/ files are prefixed with "-" any
+ failures to apply them are now ignored.
+
+ * systemd-random-seed.service now optionally credits entropy when
+ applying the seed to the system. Set $SYSTEMD_RANDOM_SEED_CREDIT to
+ true for the service to enable this behaviour, but please consult the
+ documentation first, since this comes with a couple of caveats.
+
+ * systemd-random-seed.service is now a synchronization point for full
+ initialization of the kernel's entropy pool. Services that require
+ /dev/urandom to be correctly initialized should be ordered after this
+ service.
+
+ * The systemd-boot boot loader has been updated to optionally maintain
+ a random seed file in the EFI System Partition (ESP). During the boot
+ phase, this random seed is read and updated with a new seed
+ cryptographically derived from it. Another derived seed is passed to
+ the OS. The latter seed is then credited to the kernel's entropy pool
+ very early during userspace initialization (from PID 1). This allows
+ systems to boot up with a fully initialized kernel entropy pool from
+ earliest boot on, and thus entirely removes all entropy pool
+ initialization delays from systems using systemd-boot. Special care
+ is taken to ensure different seeds are derived on system images
+ replicated to multiple systems. "bootctl status" will show whether
+ a seed was received from the boot loader.
+
+ * bootctl gained two new verbs:
+
+ - "bootctl random-seed" will generate the file in ESP and an EFI
+ variable to allow a random seed to be passed to the OS as described
+ above.
+
+ - "bootctl is-installed" checks whether systemd-boot is currently
+ installed.
+
+ * bootctl will warn if it detects that boot entries are misconfigured
+ (for example if the kernel image was removed without purging the
+ bootloader entry).
+
+ * A new document has been added describing systemd's use and support
+ for the kernel's entropy pool subsystem:
+
+ https://systemd.io/RANDOM_SEEDS
+
+ * When the system is hibernated the swap device to write the
+ hibernation image to is now automatically picked from all available
+ swap devices, preferring the swap device with the highest configured
+ priority over all others, and picking the device with the most free
+ space if there are multiple devices with the highest priority.
+
+ * /etc/crypttab support has learnt a new keyfile-timeout= per-device
+ option that permits selecting the timout how long to wait for a
+ device with an encryption key before asking for the password.
+
+ Contributions from: Aaron Barany, Adrian Bunk, Alan Jenkins, Andrej
+ Valek, Anita Zhang, Arian van Putten, Balint Reczey, Bastien Nocera,
+ Ben Boeckel, Benjamin Robin, camoz, Chen Qi, Chris Chiu, Chris Down,
+ Christian Kellner, Clinton Roy, Connor Reeder, Daniele Medri, Dan
+ Streetman, Dave Reisner, Dave Ross, David Art, David Tardon, Debarshi
+ Ray, Dominick Grift, Donald Buczek, Douglas Christman, Eric DeVolder,
+ Evgeny Vereshchagin, Feldwor, Felix Riemann, Florian Dollinger, Franck
+ Bui, Frantisek Sumsal, Franz Pletz, Hans de Goede, Iago López Galeiras,
+ Insun Pyo, Ivan Shapovalov, Iwan Timmer, Jack, Jakob Unterwurzacher,
+ Jan Klötzke, Jan Pokorný, Jan Synacek, Jeka Pats, Jérémy Rosen, Jiri
+ Pirko, Joe Lin, Joerg Behrmann, Joe Richey, Jóhann B. Guðmundsson,
+ Johannes Schmitz, Jonathan Rouleau, Jorge Niedbalski, Kai Lüke, Karel
+ Zak, Kashyap Chamarthy, Krayushkin Konstantin, Lennart Poettering,
+ Lubomir Rintel, Luca Boccassi, Luís Ferreira, Marc-André Lureau, Markus
+ Felten, Martin Pitt, Michael Biebl, Michael Olbrich, Michael Prokop,
+ Michael Stapelberg, Michael Zhivich, Michal Koutný, Michal Sekletar,
+ Mike Gilbert, Milan Broz, mpe85, Network Silence, Oliver Harley,
+ pan93412, Paul Menzel, pEJipE, Peter A. Bigot, Philip Withnall, Piotr
+ Drąg, Rafael Fontenelle, Roberto Santalla, root, RussianNeuroMancer,
+ Sebastian Jennen, shinygold, Shreyas Behera, Simon Schricker, Susant
+ Sahani, Thadeu Lima de Souza Cascardo, Theo Ouzhinski, Thiebaud
+ Weksteen, Thomas Haller, Thomas Weißschuh, Tomas Mraz, Topi Miettinen,
+ ven, Wieland Hoffmann, Xi Ruoyao, Yuri Chornoivan, Yu Watanabe, Zach
+ Smith, Zbigniew Jędrzejewski-Szmek, Zhang Xianwei
+
+ – Somewhere, SOME-TI-ME
+
+CHANGES WITH 242:
+
+ * In .link files, MACAddressPolicy=persistent (the default) is changed
+ to cover more devices. For devices like bridges, tun, tap, bond, and
+ similar interfaces that do not have other identifying information,
+ the interface name is used as the basis for persistent seed for MAC
+ and IPv4LL addresses. The way that devices that were handled
+ previously is not changed, and this change is about covering more
+ devices then previously by the "persistent" policy.
+
+ MACAddressPolicy=random may be used to force randomized MACs and
+ IPv4LL addresses for a device if desired.
+
+ Hint: the log output from udev (at debug level) was enhanced to
+ clarify what policy is followed and which attributes are used.
+ `SYSTEMD_LOG_LEVEL=debug udevadm test-builtin net_setup_link /sys/class/net/<name>`
+ may be used to view this.
+
+ Hint: if a bridge interface is created without any slaves, and gains
+ a slave later, then now the bridge does not inherit slave's MAC.
+ To inherit slave's MAC, for example, create the following file:
+ ```
+ # /etc/systemd/network/98-bridge-inherit-mac.link
+ [Match]
+ Type=bridge
+
+ [Link]
+ MACAddressPolicy=none
+ ```
+
+ * The .device units generated by systemd-fstab-generator and other
+ generators do not automatically pull in the corresponding .mount unit
+ as a Wants= dependency. This means that simply plugging in the device
+ will not cause the mount unit to be started automatically. But please
+ note that the mount unit may be started for other reasons, in
+ particular if it is part of local-fs.target, and any unit which
+ (transitively) depends on local-fs.target is started.
+
+ * networkctl list/status/lldp now accept globbing wildcards for network
+ interface names to match against all existing interfaces.
+
+ * The $PIDFILE environment variable is set to point the absolute path
+ configured with PIDFile= for processes of that service.
+
+ * The fallback DNS server list was augmented with Cloudflare public DNS
+ servers. Use `-Ddns-servers=` to set a different fallback.
+
+ * A new special target usb-gadget.target will be started automatically
+ when a USB Device Controller is detected (which means that the system
+ is a USB peripheral).
+
+ * A new unit setting CPUQuotaPeriodSec= assigns the time period
+ relatively to which the CPU time quota specified by CPUQuota= is
+ measured.
+
+ * A new unit setting ProtectHostname= may be used to prevent services
+ from modifying hostname information (even if they otherwise would
+ have privileges to do so).
+
+ * A new unit setting NetworkNamespacePath= may be used to specify a
+ namespace for service or socket units through a path referring to a
+ Linux network namespace pseudo-file.
+
+ * The PrivateNetwork= setting and JoinsNamespaceOf= dependencies now
+ have an effect on .socket units: when used the listening socket is
+ created within the configured network namespace instead of the host
+ namespace.
+
+ * ExecStart= command lines in unit files may now be prefixed with ':'
+ in which case environment variable substitution is
+ disabled. (Supported for the other ExecXYZ= settings, too.)
+
+ * .timer units gained two new boolean settings OnClockChange= and
+ OnTimezoneChange= which may be used to also trigger a unit when the
+ system clock is changed or the local timezone is
+ modified. systemd-run has been updated to make these options easily
+ accessible from the command line for transient timers.
+
+ * Two new conditions for units have been added: ConditionMemory= may be
+ used to conditionalize a unit based on installed system
+ RAM. ConditionCPUs= may be used to conditionalize a unit based on
+ installed CPU cores.
+
+ * The @default system call filter group understood by SystemCallFilter=
+ has been updated to include the new rseq() system call introduced in
+ kernel 4.15.
+
+ * A new time-set.target has been added that indicates that the system
+ time has been set from a local source (possibly imprecise). The
+ existing time-sync.target is stronger and indicates that the time has
+ been synchronized with a precise external source. Services where
+ approximate time is sufficient should use the new target.
+
+ * "systemctl start" (and related commands) learnt a new
+ --show-transaction option. If specified brief information about all
+ jobs queued because of the requested operation is shown.
+
+ * systemd-networkd recognizes a new operation state 'enslaved', used
+ (instead of 'degraded' or 'carrier') for interfaces which form a
+ bridge, bond, or similar, and an new 'degraded-carrier' operational
+ state used for the bond or bridge master interface when one of the
+ enslaved devices is not operational.
+
+ * .network files learnt the new IgnoreCarrierLoss= option for leaving
+ networks configured even if the carrier is lost.
+
+ * The RequiredForOnline= setting in .network files may now specify a
+ minimum operational state required for the interface to be considered
+ "online" by systemd-networkd-wait-online. Related to this
+ systemd-networkd-wait-online gained a new option --operational-state=
+ to configure the same, and its --interface= option was updated to
+ optionally also take an operational state specific for an interface.
+
+ * systemd-networkd-wait-online gained a new setting --any for waiting
+ for only one of the requested interfaces instead of all of them.
+
+ * systemd-networkd now implements L2TP tunnels.
+
+ * Two new .network settings UseAutonomousPrefix= and UseOnLinkPrefix=
+ may be used to cause autonomous and onlink prefixes received in IPv6
+ Router Advertisements to be ignored.
+
+ * New MulticastFlood=, NeighborSuppression=, and Learning= .network
+ file settings may be used to tweak bridge behaviour.
+
+ * The new TripleSampling= option in .network files may be used to
+ configure CAN triple sampling.
+
+ * A new .netdev settings PrivateKeyFile= and PresharedKeyFile= may be
+ used to point to private or preshared key for a WireGuard interface.
+
+ * /etc/crypttab now supports the same-cpu-crypt and
+ submit-from-crypt-cpus options to tweak encryption work scheduling
+ details.
+
+ * systemd-tmpfiles will now take a BSD file lock before operating on a
+ contents of directory. This may be used to temporarily exclude
+ directories from aging by taking the same lock (useful for example
+ when extracting a tarball into /tmp or /var/tmp as a privileged user,
+ which might create files with really old timestamps, which
+ nevertheless should not be deleted). For further details, see:
+
+ https://systemd.io/TEMPORARY_DIRECTORIES
+
+ * systemd-tmpfiles' h line type gained support for the
+ FS_PROJINHERIT_FL ('P') file attribute (introduced in kernel 4.5),
+ controlling project quota inheritance.
+
+ * sd-boot and bootctl now implement support for an Extended Boot Loader
+ (XBOOTLDR) partition, that is intended to be mounted to /boot, in
+ addition to the ESP partition mounted to /efi or /boot/efi.
+ Configuration file fragments, kernels, initrds and other EFI images
+ to boot will be loaded from both the ESP and XBOOTLDR partitions.
+ The XBOOTLDR partition was previously described by the Boot Loader
+ Specification, but implementation was missing in sd-boot. Support for
+ this concept allows using the sd-boot boot loader in more
+ conservative scenarios where the boot loader itself is placed in the
+ ESP but the kernels to boot (and their metadata) in a separate
+ partition.
+
+ * A system may now be booted with systemd.volatile=overlay on the
+ kernel command line, which causes the root file system to be set up
+ an overlayfs mount combining the root-only root directory with a
+ writable tmpfs. In this setup, the underlying root device is not
+ modified, and any changes are lost at reboot.
+
+ * Similar, systemd-nspawn can now boot containers with a volatile
+ overlayfs root with the new --volatile=overlay switch.
+
+ * systemd-nspawn can now consume OCI runtime bundles using a new
+ --oci-bundle= option. This implementation is fully usable, with most
+ features in the specification implemented, but since this a lot of
+ new code and functionality, this feature should most likely not
+ be used in production yet.
+
+ * systemd-nspawn now supports various options described by the OCI
+ runtime specification on the command-line and in .nspawn files:
+ --inaccessible=/Inaccessible= may be used to mask parts of the file
+ system tree, --console=/--pipe may be used to configure how standard
+ input, output, and error are set up.
+
+ * busctl learned the `emit` verb to generate D-Bus signals.
+
+ * systemd-analyze cat-config may be used to gather and display
+ configuration spread over multiple files, for example system and user
+ presets, tmpfiles.d, sysusers.d, udev rules, etc.
+
+ * systemd-analyze calendar now takes an optional new parameter
+ --iterations= which may be used to show a maximum number of iterations
+ the specified expression will elapse next.
+
+ * The sd-bus C API gained support for naming method parameters in the
+ introspection data.
+
+ * systemd-logind gained D-Bus APIs to specify the "reboot parameter"
+ the reboot() system call expects.
+
+ * journalctl learnt a new --cursor-file= option that points to a file
+ from which a cursor should be loaded in the beginning and to which
+ the updated cursor should be stored at the end.
+
+ * ACRN hypervisor and Windows Subsystem for Linux (WSL) are now
+ detected by systemd-detect-virt (and may also be used in
+ ConditionVirtualization=).
+
+ * The behaviour of systemd-logind may now be modified with environment
+ variables $SYSTEMD_REBOOT_TO_FIRMWARE_SETUP,
+ $SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU, and
+ $SYSTEMD_REBOOT_TO_BOOT_LOADER_ENTRY. They cause logind to either
+ skip the relevant operation completely (when set to false), or to
+ create a flag file in /run/systemd (when set to true), instead of
+ actually commencing the real operation when requested. The presence
+ of /run/systemd/reboot-to-firmware-setup,
+ /run/systemd/reboot-to-boot-loader-menu, and
+ /run/systemd/reboot-to-boot-loader-entry, may be used by alternative
+ boot loader implementations to replace some steps logind performs
+ during reboot with their own operations.
+
+ * systemctl can be used to request a reboot into the boot loader menu
+ or a specific boot loader entry with the new --boot-load-menu= and
+ --boot-loader-entry= options to a reboot command. (This requires a
+ boot loader that supports this, for example sd-boot.)
+
+ * kernel-install will no longer unconditionally create the output
+ directory (e.g. /efi/<machine-id>/<kernel-version>) for boot loader
+ snippets, but will do only if the machine-specific parent directory
+ (i.e. /efi/<machine-id>/) already exists. bootctl has been modified
+ to create this parent directory during sd-boot installation.
+
+ This makes it easier to use kernel-install with plugins which support
+ a different layout of the bootloader partitions (for example grub2).
+
+ * During package installation (with `ninja install`), we would create
+ symlinks for getty@tty1.service, systemd-networkd.service,
+ systemd-networkd.socket, systemd-resolved.service,
+ remote-cryptsetup.target, remote-fs.target,
+ systemd-networkd-wait-online.service, and systemd-timesyncd.service
+ in /etc, as if `systemctl enable` was called for those units, to make
+ the system usable immediately after installation. Now this is not
+ done anymore, and instead calling `systemctl preset-all` is
+ recommended after the first installation of systemd.
+
+ * A new boolean sandboxing option RestrictSUIDSGID= has been added that
+ is built on seccomp. When turned on creation of SUID/SGID files is
+ prohibited.
+
+ * The NoNewPrivileges= and the new RestrictSUIDSGID= options are now
+ implied if DynamicUser= is turned on for a service. This hardens
+ these services, so that they neither can benefit from nor create
+ SUID/SGID executables. This is a minor compatibility breakage, given
+ that when DynamicUser= was first introduced SUID/SGID behaviour was
+ unaffected. However, the security benefit of these two options is
+ substantial, and the setting is still relatively new, hence we opted
+ to make it mandatory for services with dynamic users.
+
+ Contributions from: Adam Jackson, Alexander Tsoy, Andrey Yashkin,
+ Andrzej Pietrasiewicz, Anita Zhang, Balint Reczey, Beniamino Galvani,
+ Ben Iofel, Benjamin Berg, Benjamin Dahlhoff, Chris, Chris Morin,
+ Christopher Wong, Claudius Ellsel, Clemens Gruber, dana, Daniel Black,
+ Davide Cavalca, David Michael, David Rheinsberg, emersion, Evgeny
+ Vereshchagin, Filipe Brandenburger, Franck Bui, Frantisek Sumsal,
+ Giacinto Cifelli, Hans de Goede, Hugo Kindel, Ignat Korchagin, Insun
+ Pyo, Jan Engelhardt, Jonas Dorel, Jonathan Lebon, Jonathon Kowalski,
+ Jörg Sommer, Jörg Thalheim, Jussi Pakkanen, Kai-Heng Feng, Lennart
+ Poettering, Lubomir Rintel, Luís Ferreira, Martin Pitt, Matthias
+ Klumpp, Michael Biebl, Michael Niewöhner, Michael Olbrich, Michal
+ Sekletar, Mike Lothian, Paul Menzel, Piotr Drąg, Riccardo Schirone,
+ Robin Elvedi, Roman Kulikov, Ronald Tschalär, Ross Burton, Ryan
+ Gonzalez, Sebastian Krzyszkowiak, Stephane Chazelas, StKob, Susant
+ Sahani, Sylvain Plantefève, Szabolcs Fruhwald, Taro Yamada, Theo
+ Ouzhinski, Thomas Haller, Tobias Jungel, Tom Yan, Tony Asleson, Topi
+ Miettinen, unixsysadmin, Van Laser, Vesa Jääskeläinen, Yu, Li-Yu,
+ Yu Watanabe, Zbigniew Jędrzejewski-Szmek
+
+ — Warsaw, 2019-04-11
+
+CHANGES WITH 241:
* The default locale can now be configured at compile time. Otherwise,
a suitable default will be selected automatically (one of C.UTF-8,
The "kernel" policy, which keeps kernel names declared to be
"persistent", now works again as documented.
- * kernel-install script now optionally takes a path to an initrd file,
- and passes it to all plugins.
+ * kernel-install script now optionally takes the paths to one or more
+ initrd files, and passes them to all plugins.
* The mincore() system call has been dropped from the @system-service
system call filter group, as it is pretty exotic and may potentially
parse backslashes inside quotes literally, matching the behaviour of
POSIX shells.
+ * udevadm trigger, udevadm control, udevadm settle and udevadm monitor
+ now automatically become NOPs when run in a chroot() environment.
+
+ * The tmpfiles.d/ "C" line type will now copy directory trees not only
+ when the destination is so far missing, but also if it already exists
+ as a directory and is empty. This is useful to cater for systems
+ where directory trees are put together from multiple separate mount
+ points but otherwise empty.
+
+ * A new function sd_bus_close_unref() (and the associated
+ sd_bus_close_unrefp()) has been added to libsystemd, that combines
+ sd_bus_close() and sd_bus_unref() in one.
+
+ * udevadm control learnt a new option for --ping for testing whether a
+ systemd-udevd instance is running and reacting.
+
+ * udevadm trigger learnt a new option for --wait-daemon for waiting
+ systemd-udevd daemon to be initialized.
+
+ Contributions from: Aaron Plattner, Alberts Muktupāvels, Alex Mayer,
+ Ayman Bagabas, Beniamino Galvani, Burt P, Chris Down, Chris Lamb, Chris
+ Morin, Christian Hesse, Claudius Ellsel, dana, Daniel Axtens, Daniele
+ Medri, Dave Reisner, David Santamaría Rogado, Diego Canuhe, Dimitri
+ John Ledkov, Evgeny Vereshchagin, Fabrice Fontaine, Filipe
+ Brandenburger, Franck Bui, Frantisek Sumsal, govwin, Hans de Goede,
+ James Hilliard, Jan Engelhardt, Jani Uusitalo, Jan Janssen, Jan
+ Synacek, Jonathan McDowell, Jonathan Roemer, Jonathon Kowalski, Joost
+ Heitbrink, Jörg Thalheim, Lance, Lennart Poettering, Louis Taylor,
+ Lucas Werkmeister, Mantas Mikulėnas, Marc-Antoine Perennou,
+ marvelousblack, Michael Biebl, Michael Sloan, Michal Sekletar, Mike
+ Auty, Mike Gilbert, Mikhail Kasimov, Neil Brown, Niklas Hambüchen,
+ Patrick Williams, Paul Seyfert, Peter Hutterer, Philip Withnall, Roger
+ James, Ronnie P. Thomas, Ryan Gonzalez, Sam Morris, Stephan Edel,
+ Stephan Gerhold, Susant Sahani, Taro Yamada, Thomas Haller, Topi
+ Miettinen, YiFei Zhu, YmrDtnJu, YunQiang Su, Yu Watanabe, Zbigniew
+ Jędrzejewski-Szmek, zsergeant77, Дамјан Георгиевски
+
+ — Berlin, 2019-02-14
+
CHANGES WITH 240:
* NoNewPrivileges=yes has been set for all long-running services
file descriptors currently enforced (fs.file-max, fs.nr_open,
RLIMIT_NOFILE hard, RLIMIT_NOFILE soft) we turn off the first two,
and keep only the latter two. A set of build-time options
- (-Dbump-proc-sys-fs-file-max=no and -Dbump-proc-sys-fs-nr-open=no)
+ (-Dbump-proc-sys-fs-file-max=false and -Dbump-proc-sys-fs-nr-open=false)
has been added to revert this change in behaviour, which might be
an option for systems that turn off memcg in the kernel.
* Journal messages that are generated whenever a unit enters the failed
state are now tagged with a unique MESSAGE_ID. Similarly, messages
generated whenever a service process exits are now made recognizable,
- too. A taged message is also emitted whenever a unit enters the
+ too. A tagged message is also emitted whenever a unit enters the
"dead" state on success.
* systemd-run gained a new switch --working-directory= for configuring
up a private /dev/ file system containing devices nodes — but when
these are opened they don't work.
- At this point is is recommended that container managers utilizing
+ At this point it is recommended that container managers utilizing
user namespaces that intend to run systemd in the payload explicitly
block mknod() with seccomp or similar, so that the graceful fallback
logic works again.
not created by systemd-sysusers anymore.
NOTE: This has a chance of breaking nss-ldap and similar NSS modules
- that embedd a network facing module into any process using getpwuid()
+ that embed a network facing module into any process using getpwuid()
or related call: the dynamic allocation of the user ID for
systemd-resolved.service means the service manager has to check NSS
if the user name is already taken when forking off the service. Since
PrivateDevices=, ProtectSystem=, …) are used. This option is hence
primarily useful for services that do not use any of the other file
system namespacing options. One such service is systemd-udevd.service
- wher this is now used by default.
+ where this is now used by default.
* ConditionSecurity= gained a new value "uefi-secureboot" that is true
when the system is booted in UEFI "secure mode".
systemd-logind to be safe. See
https://cgit.freedesktop.org/xorg/xserver/commit/?id=dc48bd653c7e101.)
- * All kernel install plugins are called with the environment variable
+ * All kernel-install plugins are called with the environment variable
KERNEL_INSTALL_MACHINE_ID which is set to the machine ID given by
- /etc/machine-id. If the file is missing or empty, the variable is
- empty and BOOT_DIR_ABS is the path of a temporary directory which is
- removed after all the plugins exit. So, if KERNEL_INSTALL_MACHINE_ID
- is empty, all plugins should not put anything in BOOT_DIR_ABS.
+ /etc/machine-id. If the machine ID could not be determined,
+ $KERNEL_INSTALL_MACHINE_ID will be empty. Plugins should not put
+ anything in the entry directory (passed as the second argument) if
+ $KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatibility, a
+ temporary directory is passed as the entry directory and removed
+ after all the plugins exit.
Contributions from: Adrian Heine né Lang, Aggelos Avgerinos, Alexander
Kurtz, Alexandros Frantzis, Alexey Brodkin, Alex Lu, Amir Pakdel, Amir
* We temporarily dropped the "-l" switch for fsck invocations,
since they collide with the flock() logic above. util-linux
upstream has been changed already to avoid this conflict,
- and we will readd "-l" as soon as util-linux with this
+ and we will re-add "-l" as soon as util-linux with this
change has been released.
* The dependency on libattr has been removed. Since a long
* Socket units gained a new Symlinks= setting. It takes a list
of symlinks to create to file system sockets or FIFOs
created by the specific Unix sockets. This is useful to
- manage symlinks to socket nodes with the same life-cycle as
+ manage symlinks to socket nodes with the same lifecycle as
the socket itself.
* The /dev/log socket and /dev/initctl FIFO have been moved to
where the local administrator's configuration in /etc always
overrides any other settings.
- Contributions fron: Ali H. Caliskan, Alison Chaiken, Bas van
+ Contributions from: Ali H. Caliskan, Alison Chaiken, Bas van
den Berg, Brandon Philips, Cristian Rodríguez, Daniel Buch,
Dan Kilman, Dave Reisner, David Härdeman, David Herrmann,
David Strauss, Dimitris Spingos, Djalal Harouni, Eelco
users who are logged out cannot continue to consume IPC
resources. This covers SysV memory, semaphores and message
queues as well as POSIX shared memory and message
- queues. Traditionally, SysV and POSIX IPC had no life-cycle
+ queues. Traditionally, SysV and POSIX IPC had no lifecycle
limits. With this functionality, that is corrected. This may
be turned off by using the RemoveIPC= switch of logind.conf.
systemd-networkd.
* The sd-bus.h bus API gained a new sd_bus_track object for
- tracking the life-cycle of bus peers. Note that sd-bus.h is
+ tracking the lifecycle of bus peers. Note that sd-bus.h is
still not a public API though (unless you specify
--enable-kdbus on the configure command line, which however
voids your warranty and you get no API stability guarantee).
projects / thirdparty / systemd.git / blobdiff